CVE-1999-0997

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, millenux-gmbh, university-of-washington, redhat, nessus, exploit available

Summary

wu-ftp with FTP conversion enabled allows an attacker to execute commands via a malformed file name that is interpreted as an argument to the program that does the conversion, e.g. tar or uncompress.
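
Added example, not code from wu-ftpd or from any advisory quoted on this page: one way a server can build the conversion program's argument vector so that a client-supplied file name is never parsed as an option. The tar invocation (tar -c -f -), the sample names, and the helpers join, free_argv and build_tar_argv are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap-allocated concatenation of prefix and s (NULL on allocation failure). */
static char *join(const char *prefix, const char *s)
{
    size_t p = strlen(prefix), n = strlen(s);
    char *out = malloc(p + n + 1);
    if (out) { memcpy(out, prefix, p); memcpy(out + p, s, n + 1); }
    return out;
}

void free_argv(char **argv)
{
    if (!argv) return;
    for (size_t i = 0; argv[i]; i++) free(argv[i]);
    free(argv);
}

/* Hypothetical helper: builds "tar -c -f - -- <names...>" as a NULL-terminated
 * argv for execv() (never a shell string). "--" ends option parsing, and a
 * "./" prefix on names starting with '-' covers tools that ignore "--". */
char **build_tar_argv(const char *const *names, size_t count)
{
    static const char *const fixed[] = { "tar", "-c", "-f", "-", "--" };
    size_t nfixed = sizeof fixed / sizeof fixed[0], total = nfixed + count;
    char **argv = calloc(total + 1, sizeof *argv);
    if (!argv) return NULL;
    for (size_t i = 0; i < total; i++) {
        const char *s = i < nfixed ? fixed[i] : names[i - nfixed];
        argv[i] = join(i >= nfixed && s[0] == '-' ? "./" : "", s);
        if (!argv[i]) { free_argv(argv); return NULL; }
    }
    return argv;
}

int main(void)
{
    /* Constructed sample names; the second would otherwise parse as an option. */
    const char *names[] = { "report.txt", "--constructed-option=value" };
    char **argv = build_tar_argv(names, 2);
    if (!argv) return 1;
    for (size_t i = 0; argv[i]; i++) printf("argv[%zu] = %s\n", i, argv[i]);
    free_argv(argv);
    return 0;
}
```

The same treatment applies to any other conversion program the server runs with client-chosen names, such as uncompress.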

Exploit-Db

description: wu-ftpd 2.4.2/2.5.0/2.6.0/2.6.1/2.6.2 FTP Conversion Vulnerability. CVE-1999-0997. Remote exploit for unix platform
id: EDB-ID:20563
last seen: 2016-02-02
modified: 1999-12-20
published: 1999-12-20
reporter: suid
source: https://www.exploit-db.com/download/20563/
title: wu-ftpd 2.4.2/2.5.0/2.6.0/2.6.1/2.6.2 - FTP Conversion Vulnerability

Nessus

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-377.NASL
description: wu-ftpd, an FTP server, implements a feature whereby multiple files can be fetched in the form of a dynamically constructed archive file, such as a tar archive. The names of the files to be included are passed as command line arguments to tar, without protection against them being interpreted as command-line options. GNU tar supports several command line options which can be abused, by means of this vulnerability, to execute arbitrary programs with the privileges of the wu-ftpd process. Georgi Guninski pointed out that this vulnerability exists in Debian woody.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15214
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15214
title: Debian DSA-377-1 : wu-ftpd - insecure program execution
code:
#%NASL_MIN_LEVEL 80502

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-377. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15214);
  script_version("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-1999-0997");
  script_xref(name:"DSA", value:"377");

  script_name(english:"Debian DSA-377-1 : wu-ftpd - insecure program execution");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"wu-ftpd, an FTP server, implements a feature whereby multiple files
can be fetched in the form of a dynamically constructed archive file,
such as a tar archive. The names of the files to be included are
passed as command line arguments to tar, without protection against
them being interpreted as command-line options. GNU tar supports
several command line options which can be abused, by means of this
vulnerability, to execute arbitrary programs with the privileges of
the wu-ftpd process.

Georgi Guninski pointed out that this vulnerability exists in Debian
woody."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-377"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"For the stable distribution (woody) this problem has been fixed in
version 2.6.2-3woody2.

We recommend that you update your wu-ftpd package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wu-ftpd");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/09/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"3.0", prefix:"wu-ftpd", reference:"2.6.2-3woody2")) flag++;
if (deb_check(release:"3.0", prefix:"wu-ftpd-academ", reference:"2.6.2-3woody2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

Statements

contributor: Joshua Bressers
lastmodified: 2006-09-27
organization: Red Hat
statement: Red Hat does not consider CVE-1999-0997 to be a security vulnerability. The wu-ftpd process chroots itself into the target ftp directory and will only run external commands as the user logged into the ftp server. Because the process chroots itself, an attacker needs a valid login with write access to the ftp server, and even then they could only potentially execute commands as themselves.